lol .. well nonpersistent XSS are a dime a dozen, can post them all day long..

and while it's correct to say they're not as volatile as persistent ones, they're still equally useful for phishing and cookie/form theft.

still though, i find that the persistent ones tend to have many more possibilities, and on juicier sites to boot..

for example: http://www.myspace.com/malucracker allows persistent XSS from quicktime javascript injection, thanks to pdp for pointing that out on gnucitizen.org

and while i'm at it, another persistent one in the file hoster http://s12.quicksharing.com/v/4813729/xssmaluc.mov.html which does no filtering of the Description field when uploading..

The scariest thing about persistent ones is that links have no indication that they could be malicious (i.e. long hex encoded string) and by the time you can check, it's already too late. Fortunately, (or unfortunately depending on which side of the fence you sit :insert blackhat emoticon: ) these are much less common, but that by no means implies they're rare..

eg. the quicksharing.com one can make people upload an image that contains an identical xss (that might appear in a "recently uploaded" section or something) whereas with reflected xss, the most you can do is, i dunno... generate a new URL that no one's likely to view, anyway?

Reflected can propagate, as long as you can store the string that allows you to run the XSS. For instance, me having an <A HREF=http://... tag that points to an XSS doesn't mean the tag is vulnerable, it means the function it's pointing to is vulnerable. That vulnerable function can save a link, and that link can be used again. I know that mostly seems like persistent, but it's only persistent in that the link to the vector itself is persistent. For instance if I say "click here" and people click on it, that doesn't mean that it's persistent, but yet it did propagate to those users. If they then insert links elsewhere that say "click here" the link again is not the vector, but the function it lands you on contains the string that is vulnerable. Maybe this is academic and not particularly interesting though.

ah, nice find .. and ya, i see it happen with title tags fairly often. i'll have to keep variables involving textareas in mind, because those 'email a friend' forms are pretty common on websites - and usually autofill in at least one field.

And although this one is from an <input> tag .. i found it because of the email form idea _-_ http://www.yousendit.com/resend_activate.php?email=shameless%20plug:%20%6D%61%6C%75%63%2E%73%69%74%65%73%6C%65%64%2E%63%6F%6D%22%20%3E%3Cscript%3Ealert('XSS')%3C/script><b%20
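Both bugs mentioned in the thread come down to the same defect: user-controlled text is written into HTML without encoding for the context it lands in (a `value="..."` attribute in the yousendit one above, a stored Description field echoed into the page body in the quicksharing one). The block below is an added example, not code from any of the posters or from those sites; the URL, parameter name and field text in it are constructed stand-ins shaped like the attribute-breakout payload quoted above. It renders each field the broken way and the encoded way, then parses the result to show which tags a browser would actually create.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample input (not the URL from the thread): a quote to close the
# value attribute, a '>' to close the tag, then an injected script element.
SAMPLE_URL = "http://example.invalid/resend.php?email=user%22%3E%3Cscript%3Ealert(1)%3C/script%3E"
# Constructed stand-in for an unfiltered stored "Description" field.
SAMPLE_DESCRIPTION = "my file <script>alert(1)</script>"


def query_param(url: str, name: str) -> str:
    """Return the percent-decoded value of one query parameter ('' if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_input_vulnerable(value: str) -> str:
    """The reflected bug: the parameter goes into a value attribute verbatim."""
    return f'<input type="text" name="email" value="{value}">'


def render_input_escaped(value: str) -> str:
    """Attribute context: & < > " ' become entities, so an injected quote can
    no longer terminate the attribute and an injected '<' cannot open a tag."""
    return f'<input type="text" name="email" value="{html.escape(value, quote=True)}">'


def render_description_vulnerable(text: str) -> str:
    """The stored bug: field content echoed into the page body unencoded."""
    return f'<p class="description">{text}</p>'


def render_description_escaped(text: str) -> str:
    """Text-node context: encoding & < > is what stops stored markup from being
    parsed as markup every time someone later views the page."""
    return f'<p class="description">{html.escape(text)}</p>'


class _TagCollector(HTMLParser):
    """Records every start tag the HTML parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_tags(markup: str) -> list:
    """Tags that get created when the markup is parsed; the encoded renderings
    should contain only the template's own element."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    email = query_param(SAMPLE_URL, "email")
    print(element_tags(render_input_vulnerable(email)))                    # ['input', 'script']
    print(element_tags(render_input_escaped(email)))                       # ['input']
    print(element_tags(render_description_vulnerable(SAMPLE_DESCRIPTION))) # ['p', 'script']
    print(element_tags(render_description_escaped(SAMPLE_DESCRIPTION)))    # ['p']
```

The point of parsing the output rather than grepping it for `<script` is that the check reflects what a browser does with the markup: the encoded renderings produce exactly one element, so nothing the user supplied became structure. The two contexts need two different rules (attribute encoding must also cover quotes); that is why a single "strip tags" filter on input tends to miss cases like the one quoted in this post.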

Any reason, in particular, why you're not doing -moz-binding or using a CSS expression, instead? They may only work in one browser, but they don't require any user intervention, whereas onmouseover does..